
Poor man's captcha: why wouldn't this work?

Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.

1) Step one is a one-time-only step.
We create six different css files that define the
same six color names differently, but each such
css file assigns red to one and only
one of those same six color names, and then store
the six somewhere in the document_root.

2) We make a dynamically generated GET page that reduces a random number
(mod 6) to a value between 1 and 6 and sets that number as a session variable.
That number will tell us in a later POST which of the six
css files to use when we generate a dynamic POST page.

We also randomly create 6 digits between 1 - 256 and concatenate
them into a comma-delimited string. We set that string
as a session variable.

3) In the post we generate a page that specifies one
of the six css files in its header, according to the value
of the first session variable. Because we have that session
variable, and because we know which of the six different
css schemes we are now using, we know which css attribute
in the current scheme means red. We don't care about the other
colors.

4) Now we generate 256 random digits (between 1 - 256) into an array.
We loop through the array and concatenate a <b class="xx">$digit</b>
onto a string. For each such <b> tag we randomly choose one of
the css colors known not to be red, except for the N array index digits
we get from the exploded comma-delimited session var #2.
We set those <b class="yy"> tags to the color known (only to us)
to be red.

5) Now we echo the string of <b> tags. Six out of the
256 randomly generated digits will be red, all the others
some undetermined color. But we know which ones are
red.

6) Now we do another post, asking the user to tell us which
of the 256 digits are red.

7) if the post variable matches the session stuff, we proceed,
else we tell the client computer to chop the fingers off
the spammer's hands and smoke the seat of his pants.

Sep 20 '06 #1



pittendrigh wrote:
Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.
...ok, the spammer is not sitting at a keyboard, it's a bot.
That's why we need a poor man's captcha.

Sep 20 '06 #2

pittendrigh wrote:
Now we echo the string of <b> tags. Six out of the 256 randomly generated
digits will be red, all the others some undetermined color. But we know
which ones are red.
Not if the user is colorblind. Perhaps it would be possible to make some of
the numbers bolded, italicized, or sized differently from the others.
Basing anything on color, though, is a big accessibility issue that is
easily avoided in this case.

--
Benjamin D. Esham
bd*****@gmail.com | AIM: bdesham128 | Jabber: same as e-mail
"...English is about as pure as a cribhouse whore. We don't just
borrow words; on occasion, English has pursued other languages
down alleyways to beat them unconscious and rifle their pockets
for new vocabulary." — James Nicoll
Sep 20 '06 #3

pittendrigh wrote:
Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.
It would work (other than the color-blindness Benjamin mentioned).

But why go to all that trouble when there are several captcha routines
out there for your use?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 20 '06 #4

But why go to all that trouble when there are several captcha routines
out there for your use?
Tell me tell me.
I spent about an hour surfing Google for cut-and-paste php captcha
stuff.
But nothing worked.

One died on my linux box because I didn't have truetype fonts.
Another died when I hadn't paid for a "registration key"
That pissed me off and I decided to try and roll my own.

If I knew the location of a useable captcha package I'd use it.

Sep 20 '06 #5

pittendrigh wrote:
>> But why go to all that trouble when there are several captcha routines
>> out there for your use?


Tell me tell me.
I spent about an hour surfing Google for cut-and-paste php captcha
stuff.
But nothing worked.

One died on my linux box because I didn't have truetype fonts.
Another died when I hadn't paid for a "registration key"
That pissed me off and I decided to try and roll my own.

If I knew the location of a useable captcha package I'd use it.
There are any number of them around. You might try www.hotscripts.com
for a start. Also www.freshmeat.com, www.phpclasses.org...

Just searching google for

captcha php

came up with most of the above (except hotscripts) and more on the first
page. Most with usable code. But you generally have to have the gd
libs installed and running properly for any captcha to work.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Sep 20 '06 #6

"pittendrigh" <Sa***************@gmail.com> wrote in message
news:11**********************@k70g2000cwa.googlegroups.com...
Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.

Instead of coloring certain numbers with random colors, why not just make
them invisible using visibility:hidden; display:none; - works for colorblind
people as well. That leaves us just the blind. You should set the letters
inaudible as well for screen readers using volume:silent; speak:none;
So your hiding css mask would be:
.xx {
visibility:hidden;
display:none;
volume:silent;
speak:none;
}

--
"A programmer is an organism that turns caffeine into code" - lpk
http://outolempi.net/ahdistus/ - A webcomic updated at random
sp**@outolempi.net || Gedoon-S @ IRCnet || rot13(xv***@bhgbyrzcv.arg)
Sep 20 '06 #7


Benjamin Esham wrote:
Not if the user is colorblind. Perhaps it would be possible to make some of
the numbers bolded, italicized, or sized differently from the others.
Basing anything on color, though, is a big accessibility issue that is
easily avoided in this case.
Bolded fonts would work for the color blind.
The blind would be out of luck. But this is a boat building site,
and (unfortunately) the blind can't build boats anyway.

My idea would be too easy to crack for widespread use.
But if I put it on my boat building forum only, no one would take
the time to crack it, just to post a few porno links on my site.

So I think I'll do it, instead of searching for a well-known captcha
package. Should take no more than a few hours to code.

Thanks for the feedback.

Sep 20 '06 #8

I've always thought that the whole use of graphics images could be
avoided completely, and even keep text-readers for the blind happy, with
something like this...

Have a database of common questions and answers, and even allow
registered users to submit more questions, so it's a never-ending battle
for the spammer to try to predict ALL the questions, as loyal site
visitors contribute to the battle against spam.

Q: What type of plant is commonly found in a forest?
A: tree

Q: What is the sum of two plus three?
A: five

Q: What is the color of the sky?
A: blue

Q: What type of animal loves to chase cats and cars?
A: dog

You get the idea. Though I like the CSS route too. Very creative.

-GC
In article <11**********************@k70g2000cwa.googlegroups.com>,
Sa***************@gmail.com says...
Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.
Sep 20 '06 #9

>Let's say we're trying to keep blog and forum spammers out
>of our site--we're not trying to protect fort knox.
>4) Now we generate 256 random digits (between 1 - 256) into an array.
>We loop through the array and concatenate a <b class="xx">$digit</b>
>onto a string. For each such <b> tag we randomly choose one of
>the css colors known not to be red, except for the N array index digits
As I understand it, you're going to have a bunch of html like:
<b class="urk">5</b>
<b class="bog">6</b>
<b class="kub">3</b>
...

Exploit (although it does require some bot programming):
Spammer counts number of times urk, bog, kub, nom, val, and tov occur.
Whichever one appears 6 times, is the correct one. Use the corresponding
digits. If there's more than one, guess.

Actually, even a 1-in-6 guess on the colors with no counting isn't
bad for a spammer who's hammering your web server unless you've got
other traps like IP banning after so many bad tries.

Also, remember that the HTML tells the bot which css file is the
correct one, and it could fetch it and parse it.

Sep 21 '06 #10
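The scheme from the original post (steps 1 to 7) and the two breaks described in reply #10 (counting class frequencies, and fetching the stylesheet the page names), modelled together as an added example; this is not code from the thread. It is Python rather than the PHP the thread is about, because the point is the analysis, not the page generation. The class names are the ones reply #10 uses; the colour names, the session layout, the in-process dictionary standing in for the six CSS files under document_root, and representing the user's answer as the list of positions (0-255) that are red are all my assumptions.

```python
"""Added example, not code from the thread: a model of pittendrigh's
CSS-colour captcha (steps 1-7 of the original post) and the two breaks
described in reply #10 (class-frequency counting, and fetching the CSS).
Class names, colour names, the session layout and the in-process "CSS
store" are placeholders; the real site would do this in PHP over HTTP.
The user's answer is modelled as the list of positions (0-255) that are red.
"""
import random
import re
from collections import Counter

CLASSES = ["urk", "bog", "kub", "nom", "val", "tov"]   # six class names (reply #10's)
COLOURS = ["red", "blue", "green", "black", "gray", "brown"]   # assumed palette
N_DIGITS, N_RED, N_SCHEMES = 256, 6, 6
TAG_RE = re.compile(r'<b class="(\w+)">(\d+)</b>')


def build_schemes():
    """Step 1: six colour maps; in scheme i exactly one class, CLASSES[i], is red.
    (j - i) % 6 is never 0 for j != i, so the other classes never get COLOURS[0]."""
    return [{cls: "red" if j == i else COLOURS[(j - i) % N_SCHEMES]
             for j, cls in enumerate(CLASSES)} for i in range(N_SCHEMES)]


SCHEMES = build_schemes()


def scheme_to_css(mapping):
    return "\n".join(f".{cls} {{ color: {col}; }}" for cls, col in mapping.items())


# stands in for the six stylesheet files under document_root
CSS_STORE = {f"/css/scheme{i}.css": scheme_to_css(m) for i, m in enumerate(SCHEMES)}


def new_challenge(seed=None):
    """Steps 2-5: choose a scheme and six red positions, remember both in the
    session, and render 256 <b> tags. Returns (session, html)."""
    rng = random.Random(seed)
    scheme_id = rng.randrange(N_SCHEMES)
    red_positions = sorted(rng.sample(range(N_DIGITS), N_RED))
    red_class = CLASSES[scheme_id]
    non_red = [c for c in CLASSES if c != red_class]
    tags = []
    for i in range(N_DIGITS):
        cls = red_class if i in red_positions else rng.choice(non_red)
        tags.append(f'<b class="{cls}">{rng.randint(1, 256)}</b>')
    session = {"scheme": scheme_id, "red": ",".join(map(str, red_positions))}
    html = f'<link rel="stylesheet" href="/css/scheme{scheme_id}.css">\n' + " ".join(tags)
    return session, html


def verify(session, answer):
    """Step 7: the POSTed positions must match the session's red positions exactly."""
    return set(answer) == set(map(int, session["red"].split(",")))


def positions_of(html, cls):
    """Indexes (in page order) of the <b> tags carrying the given class."""
    return [i for i, (c, _) in enumerate(TAG_RE.findall(html)) if c == cls]


def attack_by_counting(html):
    """Reply #10's break: the red class is used exactly N_RED times while the other
    five share the remaining 250 slots (about 50 each), so a Counter gives it away."""
    counts = Counter(c for c, _ in TAG_RE.findall(html))
    hits = [c for c, n in counts.items() if n == N_RED]
    return positions_of(html, hits[0]) if len(hits) == 1 else None  # None: must guess


def attack_by_fetching_css(html, css_store=CSS_STORE):
    """Also from #10: the page names its stylesheet, so fetch it and read off
    which class is red. No statistics needed."""
    href = re.search(r'href="([^"]+)"', html).group(1)
    red = re.search(r'\.(\w+)\s*\{\s*color:\s*red;', css_store[href]).group(1)
    return positions_of(html, red)


def counting_success_rate(trials=200, seed=1):
    """How often the counting bot passes. Expect 1.0: a non-red class landing on
    exactly six of its ~250 slots has probability on the order of 1e-17."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        session, html = new_challenge(rng.randrange(2**32))
        guess = attack_by_counting(html)
        wins += int(guess is not None and verify(session, guess))
    return wins / trials


def random_class_success_rate(trials=600, seed=2):
    """Baseline from #10: a bot that skips counting and just picks one of the
    six classes still gets through about one time in six."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        session, html = new_challenge(rng.randrange(2**32))
        wins += int(verify(session, positions_of(html, rng.choice(CLASSES))))
    return wins / trials


if __name__ == "__main__":
    print(f"counting attack passes {counting_success_rate():.0%} of challenges")
    print(f"blind class guess passes {random_class_success_rate():.0%} of challenges")
```

Run it and the counting bot passes every challenge, while the blind class guess passes about one in six, the baseline reply #10 gives. Neither attack needs a browser, a renderer or OCR; the information that decides the challenge is in the markup and the stylesheet the server hands out, so the only thing between the bot and the form is whatever rate limiting or IP banning sits in front of it.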

The blind can't build boats - I have to disagree my friend -
http://66.102.9.104/search?q=cache:h...&ct=clnk&cd=16

Joe

"pittendrigh" <Sa***************@gmail.com> wrote in message
news:11**********************@k70g2000cwa.googlegroups.com...
Let's say we're trying to keep blog and forum spammers out
of our site--we're not trying to protect fort knox.

Sep 21 '06 #11

I have made a CAPTCHA that requires no GD library, TrueType fonts or
database.

see an example of it by visiting:
http://www.ThePhpPro.com/products/captcha/

- Tim

Jerry Stuckle wrote:
There are any number of them around. You might try www.hotscripts.com
for a start. Also www.freshmeat.com, www.phpclasses.org...

Just searching google for

captcha php

came up with most of the above (except hotscripts) and more on the first
page. Most with usable code. But you generally have to have the gd
libs installed and running properly for any captcha to work.
Oct 11 '06 #12


Klaus Brune wrote:
I've always thought that the whole use of graphics images could be
avoided completely, and even keep text-readers for the blind happy, with
something like this...
<snip>

I've written an accessible captcha system, which asks random multiple
choice questions,
it's available under the gpl with all php source code
http://system-x.info/?pageid=18&menutree=47

Oct 12 '06 #13
